Product Documentation

Architecture overview

Sep 27, 2015

This section provides an overview of the StorageZones Controller deployment architecture for proof of concept evaluations or high-availability production environments. High-availability deployment is shown both with and without a DMZ proxy such as Citrix NetScaler.

Each of the deployment scenarios requires a ShareFile Enterprise account. By default, ShareFile stores data in the secure ShareFile-managed cloud. If you prefer to use private data storage, either an on-premises network share or a Windows Azure storage container, configure StorageZones for ShareFile Data.

To securely deliver data from network file shares or SharePoint document libraries to users, configure StorageZone Connectors for Network Files or for SharePoint.


StorageZones Controller proof of concept deployment

Caution: A proof of concept deployment is intended for evaluation purposes only and should not be used for critical data storage.

The following diagram shows a proof of concept deployment with a single StorageZones Controller that has both StorageZones for ShareFile Data and StorageZone Connectors enabled. Although the ShareFile and Connector features are handled by the same zone, the data and access rules for those two data types are kept separate.


Proof of concept deployment of StorageZones

To evaluate a single StorageZones Controller, you can use a separate CIFS share or a folder (such as C:\ZoneFiles) on the hard drive of the StorageZones Controller. All other system requirements apply to an evaluation deployment.

In this scenario, one firewall stands between the Internet and the secure network. The StorageZones Controller resides inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install a public SSL certificate on the IIS service of all StorageZones Controllers.

StorageZones Controller high availability deployment

For a production deployment of ShareFile with high availability, the recommended best practice is to install at least two StorageZones Controllers. When you install the first controller, you create a StorageZone. When you install the second controller, you join it to the same StorageZone. StorageZones Controllers that belong to the same StorageZone must use the same file share for storage.


High availability deployment of StorageZones

In a high availability deployment, the secondary servers are independent, fully functioning StorageZones Controllers. The StorageZones control subsystem randomly chooses a StorageZones Controller for operations. If the primary server goes offline, you can easily promote a secondary server to primary. You can also demote a server from primary to secondary.

You can configure multiple external public addresses, each associated with a different StorageZones Controller.

In this scenario, one firewall stands between the Internet and the secure network. StorageZones Controllers reside inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install a public SSL certificate on the IIS service of all StorageZones Controllers.

Network connections

The following diagram and table describe the network connections that occur when a user logs onto ShareFile and then downloads a document from a Citrix-managed storage zone.


Logon and download connections for Citrix-managed StorageZones

| Step | Source | Destination | Protocol |
|---|---|---|---|
| 1. User logon request | Client | company.sharefile.com:443 | HTTPS |
| 2. (Optional) Redirect to SAML IDP logon | Client | SAML Identity Provider URL | HTTPS |
| 3. File/folder enumeration and download request | Client | company.sharefile.com:443 | HTTPS |
| 4. File download | Client | storage-location.sharefile.com:443 | HTTPS |

The following diagram and table describe the network connections that occur when a user logs onto ShareFile and then downloads a document from an on-premises storage zone. In this case, the account uses Active Directory Federation Services (ADFS) for SAML logon.


Logon and download connections for on-premises StorageZones

| Step | Source | Destination | Protocol |
|---|---|---|---|
| 1. User logon request | Client | company.sharefile.com | HTTPS |
| 2. (Optional) Redirect to SAML IDP logon | Client | SAML Identity Provider URL | HTTPS |
| 3. File/folder enumeration and download request | Client | company.sharefile.com | HTTPS |
| 4. File download authorization | company.sharefile.com | szc.company.com | HTTPS |
| 5. File download | Client | szc.company.com | HTTPS |

Shared storage configuration

StorageZones Controllers that belong to the same StorageZone must use the same file share for storage. StorageZones Controllers access the share using the IIS Account Pool user. By default, application pools operate under the Network Service user account, which has low-level user rights. A StorageZones Controller uses the Network Service account by default.

You can use a named user account instead of the Network Service account to access the share. To use a named user account, just specify the user name and password in the StorageZones console Configuration page. Run the IIS application pool and the Citrix ShareFile Services using the Network Service account.

StorageZones Controller DMZ proxy deployment

A demilitarized zone (DMZ) provides an extra layer of security for the internal network.


DMZ proxy deployment of StorageZones

A DMZ proxy, such as Citrix NetScaler VPX, is an optional component used to:

  • Ensure all requests to a StorageZone originate from sharefile.com, so that only approved traffic reaches the StorageZones Controllers.

    StorageZones has a validate operation that checks for valid URI signatures for all incoming messages. The DMZ component is responsible for validating signatures before forwarding messages.

  • Load balance requests to StorageZones Controllers using real-time status indicators.

    Operations can be load-balanced to StorageZones Controllers if all StorageZones Controllers can access the same files.

  • Offload SSL from StorageZones Controllers.
  • Ensure requests for files on SharePoint or network drives are authenticated before passing through the DMZ.
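The signature check in the first bullet, sketched as an added example (not Citrix code and not ShareFile's actual signature format): a proxy-side validator for HMAC-signed URIs that rejects a request before it is forwarded to a controller. The `exp` and `sig` parameter names, the `/download` path, the HMAC-SHA256 construction and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; a real proxy would load the shared secret from protected storage.
ZONE_KEY = b"constructed-demo-key"
HOST = "https://szc.company.com"  # external FQDN used in this page's tables


def _mac(path: str, query: str, key: bytes) -> str:
    # The MAC covers the path and every parameter that precedes 'sig'.
    return hmac.new(key, f"{path}?{query}".encode(), hashlib.sha256).hexdigest()


def sign_uri(path: str, params: dict, expires: int, key: bytes = ZONE_KEY) -> str:
    """Issuer side: add the hypothetical 'exp' and 'sig' parameters."""
    query = urlencode({**params, "exp": expires})
    return f"{HOST}{path}?{query}&sig={_mac(path, query, key)}"


def validate_uri(uri: str, now: int, key: bytes = ZONE_KEY) -> tuple:
    """Proxy side: return (forward?, reason) before anything reaches a controller."""
    if not uri.startswith(HOST + "/"):
        return False, "wrong host"
    path, _, query = uri[len(HOST):].partition("?")
    signed, sep, sig = query.rpartition("&sig=")
    if not sep:
        return False, "missing signature"
    # Authenticate first, in constant time, and only then interpret parameters.
    if not hmac.compare_digest(_mac(path, signed, key).encode(), sig.encode()):
        return False, "bad signature"
    exp = dict(parse_qsl(signed)).get("exp", "")
    if not exp.isdecimal() or int(exp) < now:
        return False, "expired"
    return True, "forward"


if __name__ == "__main__":
    uri = sign_uri("/download", {"id": "file-a"}, expires=1700000600)
    print(validate_uri(uri, now=1700000000))
    print(validate_uri(uri.replace("file-a", "file-b"), now=1700000000))
```

Checking the MAC before reading `exp` means unauthenticated input is never parsed for meaning, and the expiry bound limits how long a captured URI stays usable.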

In this scenario, two firewalls stand between the Internet and the secure network. StorageZones Controllers reside in the internal network. User connections to ShareFile must traverse the first firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install a public SSL certificate on the IIS service of the DMZ proxy servers (if they terminate the user connection).

Network connections

The following diagram and table describe the network connections that occur when a user logs onto ShareFile and then downloads a document from an on-premises storage zone deployed behind NetScaler. In this case, the account uses Active Directory Federation Services (ADFS) for SAML logon.

Authentication traffic is handled in the DMZ by an ADFS proxy server that communicates with an ADFS server on the trusted network. File activity is accessed via NetScaler in the DMZ, which terminates SSL, authenticates user requests and then accesses the StorageZones Controller in the trusted network on behalf of authenticated users. The NetScaler external address for ShareFile is accessed using the Internet FQDN szc.company.com.


Logon and download connections for on-premises StorageZones using NetScaler

| Step | Source | Destination | Protocol |
|---|---|---|---|
| 1. User logon request | Client | company.sharefile.com | HTTPS |
| 2. (Optional) Redirect to SAML IDP logon | Client | SAML Identity Provider URL | HTTPS |
| 2a. ADFS logon | ADFS proxy | ADFS server | HTTPS |
| 3. File/folder enumeration and download request | Client | company.sharefile.com | HTTPS |
| 4. File download authorization | sharefile.com | szc.company.com (external address) | HTTP(S) |
| 4a. File download authorization | NetScaler NSIP | StorageZones Controller | HTTPS |
| 5. File download | Client | szc.company.com (external address) | HTTPS |
| 5a. File download | NetScaler NSIP | StorageZones Controller | HTTP(S) |

The following diagram and table extend the previous scenario to show the network connections for StorageZone Connectors. This scenario includes use of NetScaler in the DMZ to terminate SSL and perform user authentication for Connectors access.


Logon and download connections for StorageZone Connectors using NetScaler

| Step | Source | Destination | Protocol |
|---|---|---|---|
| 1. User logon request | Client | company.sharefile.com | HTTPS |
| 2. (Optional) Redirect to SAML IDP logon | Client | SAML Identity Provider URL | HTTPS |
| 2a. ADFS logon | ADFS proxy | ADFS server | HTTPS |
| 3. Top-level Connector enumeration | Client | company.sharefile.com | HTTPS |
| 4. User logon to StorageZones Controller server | Client | szc.company.com (external address) | HTTPS |
| 5. User authentication | NetScaler NSIP | AD Domain Controller | LDAP(S) |
| 6. File/folder enumeration and upload/download requests | NetScaler NSIP | StorageZones Controller | HTTP(S) |
| 7. Network share enumeration and upload/download | StorageZones Controller | File server | CIFS or DFS |
| 7a. SharePoint enumeration and upload/download | StorageZones Controller | SharePoint | HTTP(S) |
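The two NetScaler tables above can serve as a flow allow-list when reviewing firewall rules or connection logs. The following added example (not part of the Citrix documentation) transcribes their source, destination and protocol columns and classifies observed flows; the comma-separated record format and the sample records are constructed for illustration.

```python
# (source, destination) -> protocols, transcribed from the two NetScaler tables.
ALLOWED = {
    ("Client", "company.sharefile.com"): {"HTTPS"},
    ("Client", "SAML Identity Provider URL"): {"HTTPS"},
    ("ADFS proxy", "ADFS server"): {"HTTPS"},
    ("sharefile.com", "szc.company.com"): {"HTTP", "HTTPS"},
    ("Client", "szc.company.com"): {"HTTPS"},
    ("NetScaler NSIP", "StorageZones Controller"): {"HTTP", "HTTPS"},
    ("NetScaler NSIP", "AD Domain Controller"): {"LDAP", "LDAPS"},
    ("StorageZones Controller", "File server"): {"CIFS", "DFS"},
    ("StorageZones Controller", "SharePoint"): {"HTTP", "HTTPS"},
}
# Plaintext variants of the rows the tables mark "HTTP(S)" or "LDAP(S)".
CLEARTEXT = {"HTTP", "LDAP"}

# Constructed flow records: source,destination,protocol
SAMPLE = """\
Client,company.sharefile.com,HTTPS
Client,szc.company.com,HTTPS
NetScaler NSIP,StorageZones Controller,HTTP
NetScaler NSIP,AD Domain Controller,LDAPS
Client,StorageZones Controller,HTTPS
Client,szc.company.com,HTTP
"""


def classify(source: str, destination: str, protocol: str) -> str:
    allowed = ALLOWED.get((source, destination))
    if allowed is None:
        return "undocumented-path"       # e.g. a client reaching a controller directly
    if protocol not in allowed:
        return "undocumented-protocol"   # right endpoints, wrong protocol
    return "cleartext-permitted" if protocol in CLEARTEXT else "ok"


def audit(text: str) -> list:
    """Return (line number, verdict, record) for every record that is not 'ok'."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        fields = [f.strip() for f in line.split(",")]
        verdict = "malformed" if len(fields) != 3 else classify(
            fields[0], fields[1], fields[2].upper())
        if verdict != "ok":
            findings.append((n, verdict, line))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `cleartext-permitted` verdict marks hops that the tables allow over plain HTTP or LDAP, which are the ones to review when SSL is offloaded at the DMZ proxy.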

The following diagram summarizes the supported combinations of authentication types based on whether the user authenticates at NetScaler.

Diagram of StorageZones Controller authentication options